@blamejs/core 0.14.1 → 0.14.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (275) hide show
  1. package/CHANGELOG.md +2 -0
  2. package/lib/_test/crypto-fixtures.js +3 -3
  3. package/lib/a2a-tasks.js +18 -18
  4. package/lib/a2a.js +4 -4
  5. package/lib/acme.js +3 -3
  6. package/lib/agent-idempotency.js +1 -1
  7. package/lib/agent-orchestrator.js +8 -8
  8. package/lib/agent-posture-chain.js +2 -2
  9. package/lib/agent-saga.js +1 -1
  10. package/lib/agent-snapshot.js +1 -1
  11. package/lib/agent-stream.js +1 -1
  12. package/lib/agent-tenant.js +1 -1
  13. package/lib/agent-trace.js +3 -3
  14. package/lib/ai-capability.js +1 -1
  15. package/lib/ai-dp.js +4 -4
  16. package/lib/ai-input.js +3 -3
  17. package/lib/ai-model-manifest.js +7 -7
  18. package/lib/ai-pref.js +3 -3
  19. package/lib/archive-gz.js +2 -2
  20. package/lib/archive-read.js +25 -25
  21. package/lib/archive-tar-read.js +2 -2
  22. package/lib/archive-tar.js +20 -20
  23. package/lib/archive-wrap.js +10 -10
  24. package/lib/argon2-builtin.js +1 -1
  25. package/lib/asn1-der.js +34 -34
  26. package/lib/atomic-file.js +2 -2
  27. package/lib/audit-daily-review.js +3 -3
  28. package/lib/audit-sign.js +5 -5
  29. package/lib/audit-tools.js +1 -1
  30. package/lib/audit.js +2 -2
  31. package/lib/auth/acr-vocabulary.js +2 -2
  32. package/lib/auth/bot-challenge.js +3 -3
  33. package/lib/auth/ciba.js +7 -7
  34. package/lib/auth/dpop.js +3 -3
  35. package/lib/auth/fido-mds3.js +8 -8
  36. package/lib/auth/jwt-external.js +5 -5
  37. package/lib/auth/oauth.js +2 -2
  38. package/lib/auth/oid4vci.js +9 -9
  39. package/lib/auth/oid4vp.js +2 -2
  40. package/lib/auth/openid-federation.js +2 -2
  41. package/lib/auth/passkey.js +3 -3
  42. package/lib/auth/saml.js +23 -23
  43. package/lib/auth/sd-jwt-vc-disclosure.js +1 -1
  44. package/lib/auth/sd-jwt-vc.js +4 -4
  45. package/lib/auth/status-list.js +10 -10
  46. package/lib/auth/step-up.js +1 -1
  47. package/lib/auth-bot-challenge.js +1 -1
  48. package/lib/backup/index.js +7 -7
  49. package/lib/base32.js +8 -8
  50. package/lib/budr.js +2 -2
  51. package/lib/cache-status.js +2 -2
  52. package/lib/calendar.js +23 -23
  53. package/lib/cbor.js +12 -12
  54. package/lib/cdn-cache-control.js +1 -1
  55. package/lib/cert.js +5 -5
  56. package/lib/cloud-events.js +5 -5
  57. package/lib/cms-codec.js +21 -21
  58. package/lib/codepoint-class.js +12 -12
  59. package/lib/compliance-sanctions-fuzzy.js +4 -4
  60. package/lib/compliance-sanctions.js +4 -4
  61. package/lib/compliance.js +29 -29
  62. package/lib/content-credentials.js +36 -36
  63. package/lib/cookies.js +1 -1
  64. package/lib/cose.js +13 -13
  65. package/lib/cra-report.js +1 -1
  66. package/lib/crdt.js +1 -1
  67. package/lib/crypto-field.js +2 -2
  68. package/lib/crypto-xwing.js +7 -7
  69. package/lib/crypto.js +6 -6
  70. package/lib/csp.js +2 -2
  71. package/lib/cwt.js +4 -4
  72. package/lib/dark-patterns.js +2 -2
  73. package/lib/data-act.js +2 -2
  74. package/lib/db-file-lifecycle.js +4 -4
  75. package/lib/db-query.js +1 -1
  76. package/lib/db.js +6 -6
  77. package/lib/dbsc.js +13 -13
  78. package/lib/did.js +17 -17
  79. package/lib/dora.js +4 -4
  80. package/lib/dsr.js +1 -1
  81. package/lib/early-hints.js +2 -2
  82. package/lib/eat.js +4 -4
  83. package/lib/external-db-migrate.js +1 -1
  84. package/lib/external-db.js +1 -1
  85. package/lib/flag-cache.js +1 -1
  86. package/lib/flag-evaluation-context.js +2 -2
  87. package/lib/graphql-federation.js +4 -4
  88. package/lib/guard-agent-registry.js +5 -5
  89. package/lib/guard-archive.js +24 -24
  90. package/lib/guard-cidr.js +33 -33
  91. package/lib/guard-csv.js +1 -1
  92. package/lib/guard-domain.js +10 -10
  93. package/lib/guard-dsn.js +4 -4
  94. package/lib/guard-email.js +19 -19
  95. package/lib/guard-event-bus-payload.js +4 -4
  96. package/lib/guard-event-bus-topic.js +6 -6
  97. package/lib/guard-filename.js +7 -7
  98. package/lib/guard-graphql.js +9 -9
  99. package/lib/guard-html-wcag-tagwalk.js +1 -1
  100. package/lib/guard-html-wcag.js +4 -4
  101. package/lib/guard-html.js +7 -7
  102. package/lib/guard-idempotency-key.js +6 -6
  103. package/lib/guard-image.js +4 -4
  104. package/lib/guard-imap-command.js +17 -17
  105. package/lib/guard-jmap.js +20 -20
  106. package/lib/guard-json.js +12 -12
  107. package/lib/guard-jsonpath.js +3 -3
  108. package/lib/guard-jwt.js +4 -4
  109. package/lib/guard-list-id.js +7 -7
  110. package/lib/guard-list-unsubscribe.js +8 -8
  111. package/lib/guard-mail-compose.js +4 -4
  112. package/lib/guard-mail-move.js +5 -5
  113. package/lib/guard-mail-query.js +3 -3
  114. package/lib/guard-mail-reply.js +3 -3
  115. package/lib/guard-mail-sieve.js +6 -6
  116. package/lib/guard-managesieve-command.js +25 -25
  117. package/lib/guard-markdown.js +31 -31
  118. package/lib/guard-message-id.js +5 -5
  119. package/lib/guard-mime.js +1 -1
  120. package/lib/guard-oauth.js +3 -3
  121. package/lib/guard-pdf.js +6 -6
  122. package/lib/guard-pop3-command.js +11 -11
  123. package/lib/guard-posture-chain.js +5 -5
  124. package/lib/guard-regex.js +10 -10
  125. package/lib/guard-saga-config.js +5 -5
  126. package/lib/guard-smtp-command.js +6 -6
  127. package/lib/guard-snapshot-envelope.js +3 -3
  128. package/lib/guard-stream-args.js +4 -4
  129. package/lib/guard-svg.js +11 -11
  130. package/lib/guard-tenant-id.js +5 -5
  131. package/lib/guard-time.js +15 -15
  132. package/lib/guard-trace-context.js +4 -4
  133. package/lib/guard-uuid.js +11 -11
  134. package/lib/guard-xml.js +12 -12
  135. package/lib/guard-yaml.js +16 -16
  136. package/lib/honeytoken.js +5 -5
  137. package/lib/http-client.js +1 -1
  138. package/lib/http-message-signature.js +2 -2
  139. package/lib/iab-mspa.js +3 -3
  140. package/lib/iab-tcf.js +70 -70
  141. package/lib/inbox.js +4 -4
  142. package/lib/ip-utils.js +15 -15
  143. package/lib/jose-jwe-experimental.js +2 -2
  144. package/lib/json-path.js +3 -3
  145. package/lib/json-schema.js +1 -1
  146. package/lib/jsonapi.js +3 -3
  147. package/lib/jtd.js +2 -2
  148. package/lib/link-header.js +1 -1
  149. package/lib/local-db-thin.js +1 -1
  150. package/lib/log.js +1 -1
  151. package/lib/lro.js +4 -4
  152. package/lib/mail-agent.js +1 -1
  153. package/lib/mail-arc-sign.js +6 -6
  154. package/lib/mail-auth.js +43 -43
  155. package/lib/mail-bimi.js +3 -3
  156. package/lib/mail-crypto-pgp.js +31 -31
  157. package/lib/mail-crypto-smime.js +5 -5
  158. package/lib/mail-dav.js +1 -1
  159. package/lib/mail-deploy.js +39 -39
  160. package/lib/mail-dkim.js +11 -11
  161. package/lib/mail-greylist.js +12 -12
  162. package/lib/mail-helo.js +1 -1
  163. package/lib/mail-journal.js +8 -8
  164. package/lib/mail-rbl.js +7 -7
  165. package/lib/mail-scan.js +7 -7
  166. package/lib/mail-send-deliver.js +2 -2
  167. package/lib/mail-server-imap.js +12 -12
  168. package/lib/mail-server-jmap.js +16 -16
  169. package/lib/mail-server-managesieve.js +4 -4
  170. package/lib/mail-server-mx.js +17 -17
  171. package/lib/mail-server-pop3.js +4 -4
  172. package/lib/mail-server-rate-limit.js +2 -2
  173. package/lib/mail-server-submission.js +21 -21
  174. package/lib/mail-sieve.js +2 -2
  175. package/lib/mail-spam-score.js +5 -5
  176. package/lib/mail-srs.js +12 -12
  177. package/lib/mail-store-fts.js +2 -2
  178. package/lib/mail-store.js +8 -8
  179. package/lib/mail-unsubscribe.js +4 -4
  180. package/lib/mail.js +4 -4
  181. package/lib/mcp-tool-registry.js +4 -4
  182. package/lib/mcp.js +8 -8
  183. package/lib/mdoc.js +2 -2
  184. package/lib/metrics.js +8 -8
  185. package/lib/middleware/age-gate.js +1 -1
  186. package/lib/middleware/api-encrypt.js +7 -7
  187. package/lib/middleware/assetlinks.js +2 -2
  188. package/lib/middleware/asyncapi-serve.js +2 -2
  189. package/lib/middleware/bearer-auth.js +5 -5
  190. package/lib/middleware/body-parser.js +5 -5
  191. package/lib/middleware/compose-pipeline.js +15 -15
  192. package/lib/middleware/csp-report.js +4 -4
  193. package/lib/middleware/daily-byte-quota.js +1 -1
  194. package/lib/middleware/dpop.js +1 -1
  195. package/lib/middleware/headers.js +2 -2
  196. package/lib/middleware/host-allowlist.js +1 -1
  197. package/lib/middleware/idempotency-key.js +12 -12
  198. package/lib/middleware/nel.js +1 -1
  199. package/lib/middleware/openapi-serve.js +2 -2
  200. package/lib/middleware/protected-resource-metadata.js +2 -2
  201. package/lib/middleware/require-aal.js +1 -1
  202. package/lib/middleware/require-bound-key.js +2 -2
  203. package/lib/middleware/require-content-type.js +1 -1
  204. package/lib/middleware/require-methods.js +1 -1
  205. package/lib/middleware/require-step-up.js +2 -2
  206. package/lib/middleware/scim-server.js +1 -1
  207. package/lib/middleware/security-txt.js +3 -3
  208. package/lib/middleware/tus-upload.js +12 -12
  209. package/lib/middleware/web-app-manifest.js +2 -2
  210. package/lib/network-byte-quota.js +1 -1
  211. package/lib/network-dns-resolver.js +23 -23
  212. package/lib/network-dns.js +29 -29
  213. package/lib/network-dnssec.js +33 -33
  214. package/lib/network-smtp-policy.js +10 -10
  215. package/lib/network-tls.js +87 -87
  216. package/lib/network-tsig.js +33 -33
  217. package/lib/nis2-report.js +1 -1
  218. package/lib/ntp-check.js +3 -3
  219. package/lib/observability-otlp-exporter.js +17 -17
  220. package/lib/observability-tracer.js +6 -6
  221. package/lib/observability.js +8 -8
  222. package/lib/openapi-yaml.js +1 -1
  223. package/lib/openapi.js +1 -1
  224. package/lib/outbox.js +6 -6
  225. package/lib/pqc-agent.js +4 -4
  226. package/lib/pqc-software.js +1 -1
  227. package/lib/privacy-pass.js +5 -5
  228. package/lib/problem-details.js +5 -5
  229. package/lib/promise-pool.js +1 -1
  230. package/lib/protobuf-encoder.js +1 -1
  231. package/lib/redact.js +2 -2
  232. package/lib/request-helpers.js +1 -1
  233. package/lib/router.js +10 -10
  234. package/lib/safe-async.js +2 -2
  235. package/lib/safe-dns.js +71 -71
  236. package/lib/safe-ical.js +19 -19
  237. package/lib/safe-icap.js +24 -24
  238. package/lib/safe-jsonpath.js +2 -2
  239. package/lib/safe-mime.js +10 -10
  240. package/lib/safe-mount-info.js +3 -3
  241. package/lib/safe-redirect.js +1 -1
  242. package/lib/safe-sieve.js +23 -23
  243. package/lib/safe-smtp.js +1 -1
  244. package/lib/safe-vcard.js +14 -14
  245. package/lib/sandbox.js +5 -5
  246. package/lib/sec-cyber.js +1 -1
  247. package/lib/self-update-standalone-verifier.js +3 -3
  248. package/lib/self-update.js +3 -3
  249. package/lib/server-timing.js +3 -3
  250. package/lib/session-device-binding.js +7 -7
  251. package/lib/session.js +8 -8
  252. package/lib/standard-webhooks.js +4 -4
  253. package/lib/storage.js +2 -2
  254. package/lib/stream-throttle.js +1 -1
  255. package/lib/structured-fields.js +15 -15
  256. package/lib/subject.js +1 -1
  257. package/lib/tcpa-10dlc.js +1 -1
  258. package/lib/tenant-quota.js +3 -3
  259. package/lib/test-harness.js +1 -1
  260. package/lib/tracing.js +1 -1
  261. package/lib/tsa.js +5 -5
  262. package/lib/uri-template.js +5 -5
  263. package/lib/vault/index.js +2 -2
  264. package/lib/vault/seal-pem-file.js +4 -4
  265. package/lib/vc.js +2 -2
  266. package/lib/vendor-data.js +1 -1
  267. package/lib/watcher.js +4 -4
  268. package/lib/web-push-vapid.js +21 -21
  269. package/lib/webhook.js +2 -2
  270. package/lib/websocket.js +3 -3
  271. package/lib/worker-pool.js +3 -3
  272. package/lib/ws-client.js +24 -24
  273. package/lib/xml-c14n.js +2 -2
  274. package/package.json +1 -1
  275. package/sbom.cdx.json +6 -6
package/lib/backup/index.js CHANGED
@@ -1118,7 +1118,7 @@ function bundleAdapterStorage(opts) {
1118
1118
  var passphraseMinEntropyBits;
1119
1119
  if (opts.passphraseMinEntropyBits === undefined ||
1120
1120
  opts.passphraseMinEntropyBits === null) {
1121
- passphraseMinEntropyBits = 80; // allow:raw-byte-literal — entropy-bits default floor, not byte count
1121
+ passphraseMinEntropyBits = 80; // entropy-bits default floor, not byte count
1122
1122
  } else if (Number.isFinite(opts.passphraseMinEntropyBits) &&
1123
1123
  opts.passphraseMinEntropyBits >= 0) {
1124
1124
  passphraseMinEntropyBits = Math.floor(opts.passphraseMinEntropyBits);
@@ -1164,8 +1164,8 @@ function bundleAdapterStorage(opts) {
1164
1164
  // v0.12.11 — passphrase strategy under HIPAA / PCI-DSS raises
1165
1165
  // the entropy floor to 128 bits (matches the framework's
1166
1166
  // existing crypto-grade-password discipline for sealed-storage).
1167
- if (cryptoStrategy === "passphrase" && passphraseMinEntropyBits < 128) { // allow:raw-byte-literal — entropy-bits floor, not byte count
1168
- passphraseMinEntropyBits = 128; // allow:raw-byte-literal — entropy-bits floor, not byte count
1167
+ if (cryptoStrategy === "passphrase" && passphraseMinEntropyBits < 128) { // entropy-bits floor, not byte count
1168
+ passphraseMinEntropyBits = 128; // entropy-bits floor, not byte count
1169
1169
  }
1170
1170
  }
1171
1171
  // Codex P2 on v0.12.8 PR #159 — tar mode builds the whole archive
@@ -1754,7 +1754,7 @@ function bundleAdapterStorage(opts) {
1754
1754
  // per-bundle rewrap.
1755
1755
  async rewrapAllBundles(opts) {
1756
1756
  opts = opts || {};
1757
- var concurrency = 4; // allow:raw-byte-literal — default fan-out, not byte count
1757
+ var concurrency = 4; // default fan-out, not byte count
1758
1758
  if (typeof opts.concurrency === "number" && Number.isFinite(opts.concurrency) &&
1759
1759
  opts.concurrency > 0) {
1760
1760
  concurrency = Math.max(1, Math.floor(opts.concurrency));
@@ -1855,7 +1855,7 @@ function bundleAdapterStorage(opts) {
1855
1855
  // a silent ok=0/failed=0 report on non-empty storage. Default
1856
1856
  // 4; minimum 1; non-finite / non-positive falls back to
1857
1857
  // default.
1858
- var concurrency = 4; // allow:raw-byte-literal — default fan-out, not byte count
1858
+ var concurrency = 4; // default fan-out, not byte count
1859
1859
  if (typeof vOpts.concurrency === "number" && Number.isFinite(vOpts.concurrency) &&
1860
1860
  vOpts.concurrency > 0) {
1861
1861
  concurrency = Math.max(1, Math.floor(vOpts.concurrency));
@@ -2096,7 +2096,7 @@ function bundleAdapterStorage(opts) {
2096
2096
  // capped 16-byte readFile via the fallback path (still
2097
2097
  // bounded; better than full payload).
2098
2098
  if (typeof adapter.readPartial === "function") {
2099
- var probe = await adapter.readPartial(payloadKey, 16); // allow:raw-byte-literal — 16-byte probe head, magic comparison
2099
+ var probe = await adapter.readPartial(payloadKey, 16); // 16-byte probe head, magic comparison
2100
2100
  envelopeKind = archiveLazy().sniffEnvelope(probe);
2101
2101
  } else {
2102
2102
  // Legacy adapter — readPartial missing. Operators using
@@ -2389,7 +2389,7 @@ bundleAdapterStorage.objectStoreAdapter = function (client, osOpts) {
2389
2389
  // is consumed. PAGINATION_CAP guards against a runaway
2390
2390
  // server returning truncated:true forever (defense-in-depth;
2391
2391
  // shipped backends honour the contract).
2392
- var PAGINATION_CAP = 1000; // allow:raw-byte-literal — page count cap, not byte count
2392
+ var PAGINATION_CAP = 1000; // page count cap, not byte count
2393
2393
  var out = [];
2394
2394
  var token = null;
2395
2395
  var pages = 0;
package/lib/base32.js CHANGED
@@ -42,7 +42,7 @@ Object.keys(ALPHABETS).forEach(function (v) {
42
42
  LOOKUPS[v] = map;
43
43
  });
44
44
 
45
- var GROUP = 8; // allow:raw-byte-literal — Base32 emits 8 chars per 5 input bytes (RFC 4648 §6)
45
+ var GROUP = 8; // Base32 emits 8 chars per 5 input bytes (RFC 4648 §6)
46
46
  var BITS = 5; // 5 bits per Base32 symbol
47
47
 
48
48
  function _alphabet(variant) {
@@ -82,14 +82,14 @@ function encode(input, opts) {
82
82
  var out = "";
83
83
  var value = 0, bits = 0;
84
84
  for (var i = 0; i < buf.length; i++) {
85
- value = (value << 8) | buf[i]; // allow:raw-byte-literal — shift in one input byte
86
- bits += 8; // allow:raw-byte-literal — eight bits per input byte
85
+ value = (value << 8) | buf[i]; // shift in one input byte
86
+ bits += 8; // eight bits per input byte
87
87
  while (bits >= BITS) {
88
- out += alphabet.charAt((value >>> (bits - BITS)) & 31); // allow:raw-byte-literal — low 5 bits mask (2^5 - 1)
88
+ out += alphabet.charAt((value >>> (bits - BITS)) & 31); // low 5 bits mask (2^5 - 1)
89
89
  bits -= BITS;
90
90
  }
91
91
  }
92
- if (bits > 0) out += alphabet.charAt((value << (BITS - bits)) & 31); // allow:raw-byte-literal — final partial group, low 5 bits
92
+ if (bits > 0) out += alphabet.charAt((value << (BITS - bits)) & 31); // final partial group, low 5 bits
93
93
  if (pad) while (out.length % GROUP !== 0) out += "=";
94
94
  return out;
95
95
  }
@@ -138,9 +138,9 @@ function decode(str, opts) {
138
138
  if (idx === undefined) throw new Base32Error("base32/bad-char", "base32.decode: invalid Base32 character '" + str.charAt(i) + "' at index " + i);
139
139
  value = (value << BITS) | idx;
140
140
  bits += BITS;
141
- if (bits >= 8) { // allow:raw-byte-literal — emit a full output byte
142
- bytes.push((value >>> (bits - 8)) & 0xff); // allow:raw-byte-literal — eight-bit output byte mask
143
- bits -= 8; // allow:raw-byte-literal — consumed eight bits
141
+ if (bits >= 8) { // emit a full output byte
142
+ bytes.push((value >>> (bits - 8)) & 0xff); // eight-bit output byte mask
143
+ bits -= 8; // consumed eight bits
144
144
  }
145
145
  }
146
146
  return Buffer.from(bytes);
package/lib/budr.js CHANGED
@@ -30,8 +30,8 @@ var audit = require("./audit");
30
30
  var { defineClass } = require("./framework-error");
31
31
  var BudrError = defineClass("BudrError", { alwaysPermanent: true });
32
32
 
33
- var SERVICE_MAX = 128; // allow:raw-byte-literal — string-length cap, not bytes
34
- var SERVICE_RE = /^[a-zA-Z0-9._:/-]{1,128}$/; // allow:raw-byte-literal — string-length cap; not bytes
33
+ var SERVICE_MAX = 128; // string-length cap, not bytes
34
+ var SERVICE_RE = /^[a-zA-Z0-9._:/-]{1,128}$/; // string-length cap; not bytes
35
35
  var TIERS = ["platinum", "gold", "silver", "bronze"];
36
36
  var CRITICALITIES = ["critical", "high", "medium", "low"];
37
37
 
package/lib/cache-status.js CHANGED
@@ -47,7 +47,7 @@ var CacheStatusError = defineClass("CacheStatusError", { alwaysPermanent: true }
47
47
  // per RFC 8941: starts with ALPHA or "*", continues with tchar / ":"
48
48
  // / "/". tchar excludes `, ; " \ space and all controls.
49
49
  var CACHE_NAME_RE = /^[A-Za-z*][!#$%&'*+\-.^_`|~0-9A-Za-z:/]*$/; // allow:duplicate-regex — sf-token shape per RFC 8941 §3.3.4
50
- var CACHE_NAME_MAX = 128; // allow:raw-byte-literal — cache-name length cap, not bytes
50
+ var CACHE_NAME_MAX = 128; // cache-name length cap, not bytes
51
51
  var FWD_VALUES = Object.freeze(["bypass", "method", "uri-miss", "vary-miss", "miss", "request", "stale", "partial"]);
52
52
  var BOOLEAN_PARAMS = Object.freeze(["hit", "stored", "collapsed"]);
53
53
  // Reserved parameter names per RFC 9211 §2 — the framework knows their
@@ -153,7 +153,7 @@ function entryString(entry) {
153
153
  }
154
154
  if (entry.fwdStatus !== undefined && entry.fwdStatus !== null) {
155
155
  if (typeof entry.fwdStatus !== "number" || !Number.isInteger(entry.fwdStatus) ||
156
- entry.fwdStatus < 100 || entry.fwdStatus > 599) { // allow:raw-byte-literal — HTTP status range
156
+ entry.fwdStatus < 100 || entry.fwdStatus > 599) { // HTTP status range
157
157
  throw new CacheStatusError("cache-status/bad-fwd-status",
158
158
  "entry.fwdStatus must be an integer 100..599");
159
159
  }
package/lib/calendar.js CHANGED
@@ -98,7 +98,7 @@ var JSCAL_NOTE_STATUS = Object.freeze({
98
98
 
99
99
  // Recurrence-expansion caps. Mirror b.safeIcal's RRULE limits so the
100
100
  // expand path can't outpace what the parser already permitted.
101
- var MAX_EXPAND_INSTANCES = 4096; // allow:raw-byte-literal — instance count cap, not bytes
101
+ var MAX_EXPAND_INSTANCES = 4096; // instance count cap, not bytes
102
102
  var MAX_EXPAND_SPAN_MS = 10 * 365 * 24 * 60 * 60 * 1000; // allow:raw-byte-literal + allow:raw-time-literal — 10 year max expansion span
103
103
 
104
104
  /**
@@ -138,7 +138,7 @@ function validate(jsCal) {
138
138
  throw new CalendarError("calendar/no-uid",
139
139
  "b.calendar.validate: uid is required (RFC 8984 §5.1.4)");
140
140
  }
141
- if (jsCal.uid.length > 1024) { // allow:raw-byte-literal — anti-DoS uid length cap
141
+ if (jsCal.uid.length > 1024) { // anti-DoS uid length cap
142
142
  throw new CalendarError("calendar/oversize-uid",
143
143
  "b.calendar.validate: uid exceeds 1024 bytes");
144
144
  }
@@ -183,7 +183,7 @@ function validate(jsCal) {
183
183
  // refuse.
184
184
  if (typeof jsCal.percentComplete !== "number" || !isFinite(jsCal.percentComplete) ||
185
185
  !Number.isInteger(jsCal.percentComplete) ||
186
- jsCal.percentComplete < 0 || jsCal.percentComplete > 100) { // allow:raw-byte-literal — RFC 8984 §6 percent range
186
+ jsCal.percentComplete < 0 || jsCal.percentComplete > 100) { // RFC 8984 §6 percent range
187
187
  throw new CalendarError("calendar/bad-percent",
188
188
  "b.calendar.validate: Task.percentComplete MUST be an integer in 0..100 (RFC 8984 §6.4.4 UnsignedInt)");
189
189
  }
@@ -586,7 +586,7 @@ function expandRecurrence(event, opts) {
586
586
  // specified, they are expanded independently and the resulting
587
587
  // instances are UNIONed (deduped + sorted ascending). Per-rule
588
588
  // count caps apply per-rule per the same section.
589
- var globalStepBudget = MAX_EXPAND_INSTANCES * 366; // allow:raw-byte-literal — total days/year step budget shared across all rules
589
+ var globalStepBudget = MAX_EXPAND_INSTANCES * 366; // total days/year step budget shared across all rules
590
590
  var seen = Object.create(null);
591
591
  var unioned = [];
592
592
  for (var rrIndex = 0; rrIndex < event.recurrenceRules.length; rrIndex += 1) {
@@ -644,7 +644,7 @@ function _expandSingleRule(rule, startMs, ctx) {
644
644
  byMonthSet = Object.create(null);
645
645
  for (var mi = 0; mi < rule.byMonth.length; mi += 1) {
646
646
  var mn = parseInt(rule.byMonth[mi], 10);
647
- if (isFinite(mn) && mn >= 1 && mn <= 12) byMonthSet[mn] = true; // allow:raw-byte-literal — 12 calendar months
647
+ if (isFinite(mn) && mn >= 1 && mn <= 12) byMonthSet[mn] = true; // 12 calendar months
648
648
  }
649
649
  }
650
650
  var byMonthDaySet = null;
@@ -652,7 +652,7 @@ function _expandSingleRule(rule, startMs, ctx) {
652
652
  byMonthDaySet = Object.create(null);
653
653
  for (var mdi = 0; mdi < rule.byMonthDay.length; mdi += 1) {
654
654
  var mdn = parseInt(rule.byMonthDay[mdi], 10);
655
- if (isFinite(mdn) && mdn !== 0 && mdn >= -31 && mdn <= 31) byMonthDaySet[mdn] = true; // allow:raw-byte-literal — calendar day-of-month bounds
655
+ if (isFinite(mdn) && mdn !== 0 && mdn >= -31 && mdn <= 31) byMonthDaySet[mdn] = true; // calendar day-of-month bounds
656
656
  }
657
657
  }
658
658
  // RFC 5545 §3.3.10 — BYWEEKNO refines yearly recurrences to specific
@@ -663,7 +663,7 @@ function _expandSingleRule(rule, startMs, ctx) {
663
663
  byWeekNoSet = Object.create(null);
664
664
  for (var wni = 0; wni < rule.byWeekNo.length; wni += 1) {
665
665
  var wn = parseInt(rule.byWeekNo[wni], 10);
666
- if (isFinite(wn) && wn !== 0 && wn >= -53 && wn <= 53) byWeekNoSet[wn] = true; // allow:raw-byte-literal — ISO 8601 week-number bounds
666
+ if (isFinite(wn) && wn !== 0 && wn >= -53 && wn <= 53) byWeekNoSet[wn] = true; // ISO 8601 week-number bounds
667
667
  }
668
668
  }
669
669
  // BYYEARDAY — day-of-year (1..366 or -1..-366; negative counts from
@@ -673,7 +673,7 @@ function _expandSingleRule(rule, startMs, ctx) {
673
673
  byYearDaySet = Object.create(null);
674
674
  for (var ydi = 0; ydi < rule.byYearDay.length; ydi += 1) {
675
675
  var yd = parseInt(rule.byYearDay[ydi], 10);
676
- if (isFinite(yd) && yd !== 0 && yd >= -366 && yd <= 366) byYearDaySet[yd] = true; // allow:raw-byte-literal — day-of-year bounds
676
+ if (isFinite(yd) && yd !== 0 && yd >= -366 && yd <= 366) byYearDaySet[yd] = true; // day-of-year bounds
677
677
  }
678
678
  }
679
679
  // BYHOUR / BYMINUTE / BYSECOND — time-of-day filters. RFC 5545 §3.3.10
@@ -695,8 +695,8 @@ function _expandSingleRule(rule, startMs, ctx) {
695
695
  // unfiltered candidate per RFC 5545's tolerant grammar.
696
696
  return hasAny ? s : null;
697
697
  }
698
- var byHourSet = _bySet(rule.byHour, 0, 23); // allow:raw-byte-literal — RFC 5545 hour range
699
- var byMinuteSet = _bySet(rule.byMinute, 0, 59); // allow:raw-byte-literal — RFC 5545 minute range
698
+ var byHourSet = _bySet(rule.byHour, 0, 23); // RFC 5545 hour range
699
+ var byMinuteSet = _bySet(rule.byMinute, 0, 59); // RFC 5545 minute range
700
700
  var bySecondSet = _bySet(rule.bySecond, 0, 60); // allow:raw-byte-literal — RFC 5545 second range incl. leap second // allow:raw-time-literal — second-of-minute bound, not a duration
701
701
 
702
702
  function _isoWeekParts(d) {
@@ -706,7 +706,7 @@ function _expandSingleRule(rule, startMs, ctx) {
706
706
  // Returns { week, year }.
707
707
  var tmp = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth(), d.getUTCDate()));
708
708
  var dayOfWeek = tmp.getUTCDay() || 7;
709
- tmp.setUTCDate(tmp.getUTCDate() + 4 - dayOfWeek); // allow:raw-byte-literal — ISO week-year anchor (Thursday)
709
+ tmp.setUTCDate(tmp.getUTCDate() + 4 - dayOfWeek); // ISO week-year anchor (Thursday)
710
710
  var weekYear = tmp.getUTCFullYear();
711
711
  var yearStart = new Date(Date.UTC(weekYear, 0, 1));
712
712
  var week = Math.ceil((((tmp - yearStart) / 86400000) + 1) / 7); // allow:raw-time-literal — 86400000 ms/day, 7 days/week // allow:raw-byte-literal
@@ -720,7 +720,7 @@ function _expandSingleRule(rule, startMs, ctx) {
720
720
  return Math.floor((d - startOfYear) / 86400000) + 1; // allow:raw-time-literal — 86400000 ms/day // allow:raw-byte-literal
721
721
  }
722
722
  function _daysInYear(year) {
723
- return ((year % 4 === 0 && year % 100 !== 0) || year % 400 === 0) ? 366 : 365; // allow:raw-byte-literal — Gregorian leap-year rule
723
+ return ((year % 4 === 0 && year % 100 !== 0) || year % 400 === 0) ? 366 : 365; // Gregorian leap-year rule
724
724
  }
725
725
  function _matchesBy(t) {
726
726
  var d = new Date(t);
@@ -738,7 +738,7 @@ function _expandSingleRule(rule, startMs, ctx) {
738
738
  // a future explicit knob if demand surfaces.
739
739
  var iso = _isoWeekParts(d);
740
740
  if (iso.year !== d.getUTCFullYear()) return false;
741
- var lastWeek = _isoWeekOf(new Date(Date.UTC(d.getUTCFullYear(), 11, 28))); // allow:raw-byte-literal — Dec 28 always in last ISO week
741
+ var lastWeek = _isoWeekOf(new Date(Date.UTC(d.getUTCFullYear(), 11, 28))); // Dec 28 always in last ISO week
742
742
  if (!byWeekNoSet[iso.week] && !byWeekNoSet[-(lastWeek - iso.week + 1)]) return false;
743
743
  }
744
744
  if (byYearDaySet) {
@@ -814,7 +814,7 @@ function _bySetPosArray(raw) {
814
814
  var out = [];
815
815
  for (var i = 0; i < raw.length; i += 1) {
816
816
  var n = parseInt(raw[i], 10);
817
- if (isFinite(n) && n !== 0 && n >= -366 && n <= 366) out.push(n); // allow:raw-byte-literal — RFC 5545 §3.3.10 bysetpos range
817
+ if (isFinite(n) && n !== 0 && n >= -366 && n <= 366) out.push(n); // RFC 5545 §3.3.10 bysetpos range
818
818
  }
819
819
  return out.length > 0 ? out : null;
820
820
  }
@@ -864,7 +864,7 @@ function _expandWithBysetpos(ctx) {
864
864
  // periods (e.g. YEARLY = 366 days) can't loop forever.
865
865
  var candidates = [];
866
866
  var dayMs = period.startMs;
867
- var safety = 400; // allow:raw-byte-literal — period day cap (covers leap year 366 + slack)
867
+ var safety = 400; // period day cap (covers leap year 366 + slack)
868
868
  while (dayMs <= period.endMs && safety-- > 0 && stepBudgetRef.remaining > 0) {
869
869
  stepBudgetRef.remaining -= 1;
870
870
  var candidate = _withTimeOfDay(dayMs, hh, mm, ss, ms);
@@ -919,8 +919,8 @@ function _periodForIndex(freq, startDate, offset) {
919
919
  }
920
920
  if (freq === "monthly") {
921
921
  var bm = startDate.getUTCMonth() + offset;
922
- var by = startDate.getUTCFullYear() + Math.floor(bm / 12); // allow:raw-byte-literal — months/year
923
- var mm = ((bm % 12) + 12) % 12; // allow:raw-byte-literal — months/year
922
+ var by = startDate.getUTCFullYear() + Math.floor(bm / 12); // months/year
923
+ var mm = ((bm % 12) + 12) % 12; // months/year
924
924
  var ms = Date.UTC(by, mm, 1, 0, 0, 0, 0);
925
925
  var me = Date.UTC(by, mm + 1, 1, 0, 0, 0, 0) - 1;
926
926
  return { startMs: ms, endMs: me };
@@ -928,7 +928,7 @@ function _periodForIndex(freq, startDate, offset) {
928
928
  // weekly — align to WKST=Monday (RFC 5545 default WKST).
929
929
  var anchor = new Date(Date.UTC(startDate.getUTCFullYear(), startDate.getUTCMonth(), startDate.getUTCDate(), 0, 0, 0, 0));
930
930
  var dow = anchor.getUTCDay() || 7;
931
- anchor.setUTCDate(anchor.getUTCDate() - (dow - 1) + offset * 7); // allow:raw-byte-literal — days/week
931
+ anchor.setUTCDate(anchor.getUTCDate() - (dow - 1) + offset * 7); // days/week
932
932
  var ws = anchor.getTime();
933
933
  var we = ws + 7 * 86400000 - 1; // allow:raw-byte-literal + allow:raw-time-literal — 7-day window
934
934
  return { startMs: ws, endMs: we };
@@ -1021,7 +1021,7 @@ function _vtodoToJsCalTask(vt) {
1021
1021
  var percent = _firstValue(props["PERCENT-COMPLETE"]);
1022
1022
  if (percent !== null && percent !== undefined) {
1023
1023
  var pn = parseInt(percent, 10);
1024
- if (isFinite(pn) && pn >= 0 && pn <= 100) jsCal.percentComplete = pn; // allow:raw-byte-literal — RFC 8984 §6 percent range
1024
+ if (isFinite(pn) && pn >= 0 && pn <= 100) jsCal.percentComplete = pn; // RFC 8984 §6 percent range
1025
1025
  }
1026
1026
  var completed = _firstValue(props.COMPLETED);
1027
1027
  if (completed) jsCal.progressUpdated = _icalDateTimeToUtc(completed);
@@ -1202,7 +1202,7 @@ function _advance(ms, freq, interval) {
1202
1202
  var d = new Date(ms);
1203
1203
  switch (freq) {
1204
1204
  case "daily": d.setUTCDate(d.getUTCDate() + interval); break;
1205
- case "weekly": d.setUTCDate(d.getUTCDate() + 7 * interval); break; // allow:raw-byte-literal — 7 days/week
1205
+ case "weekly": d.setUTCDate(d.getUTCDate() + 7 * interval); break; // 7 days/week
1206
1206
  case "monthly": d.setUTCMonth(d.getUTCMonth() + interval); break;
1207
1207
  case "yearly": d.setUTCFullYear(d.getUTCFullYear() + interval); break;
1208
1208
  case "hourly": d.setUTCHours(d.getUTCHours() + interval); break;
@@ -1227,10 +1227,10 @@ function _foldLine(s) {
1227
1227
  // RFC 5545 §3.1 — content lines SHOULD NOT exceed 75 octets; fold
1228
1228
  // with CRLF + leading space. We let the joining code add the
1229
1229
  // trailing CRLF; this helper only inserts the intra-line fold.
1230
- if (s.length <= 75) return s; // allow:raw-byte-literal — RFC 5545 §3.1 line-length cap
1230
+ if (s.length <= 75) return s; // RFC 5545 §3.1 line-length cap
1231
1231
  var out = "";
1232
- for (var i = 0; i < s.length; i += 73) { // allow:raw-byte-literal — 73 = 75 minus the CR/LF wrap
1233
- out += (i === 0 ? "" : "\r\n ") + s.slice(i, i + 73); // allow:raw-byte-literal — same cap
1232
+ for (var i = 0; i < s.length; i += 73) { // 73 = 75 minus the CR/LF wrap
1233
+ out += (i === 0 ? "" : "\r\n ") + s.slice(i, i + 73); // same cap
1234
1234
  }
1235
1235
  return out;
1236
1236
  }
package/lib/cbor.js CHANGED
@@ -58,15 +58,15 @@ var { defineClass } = require("./framework-error");
58
58
 
59
59
  var CborError = defineClass("CborError", { alwaysPermanent: true });
60
60
 
61
- var DEFAULT_MAX_DEPTH = 64; // allow:raw-byte-literal — nesting depth, not a size
62
- var ABSOLUTE_MAX_DEPTH = 256; // allow:raw-byte-literal — nesting depth ceiling, not a size
61
+ var DEFAULT_MAX_DEPTH = 64; // nesting depth, not a size
62
+ var ABSOLUTE_MAX_DEPTH = 256; // nesting depth ceiling, not a size
63
63
  var DEFAULT_MAX_BYTES = C.BYTES.mib(16);
64
64
  var ABSOLUTE_MAX_BYTES = C.BYTES.mib(64);
65
65
 
66
66
  // CBOR / IEEE-754 wire constants (not byte sizes — protocol values).
67
- var CBOR_AI_1BYTE = 24; // allow:raw-byte-literal — RFC 8949 §3 additional-info boundary (inline vs 1-byte argument)
68
- var BYTES_64BIT = 8; // allow:raw-byte-literal — width of a CBOR uint64 / float64 argument, not a cap
69
- var FLOAT16_MANT_DIV = 1024; // allow:raw-byte-literal — IEEE 754 half-precision mantissa scale (2^10), not a size
67
+ var CBOR_AI_1BYTE = 24; // RFC 8949 §3 additional-info boundary (inline vs 1-byte argument)
68
+ var BYTES_64BIT = 8; // width of a CBOR uint64 / float64 argument, not a cap
69
+ var FLOAT16_MANT_DIV = 1024; // IEEE 754 half-precision mantissa scale (2^10), not a size
70
70
 
71
71
  /**
72
72
  * @primitive b.cbor.Tag
@@ -110,9 +110,9 @@ function _capInt(v, dflt, absolute) {
110
110
  // + SCITT depend on this — emitting float64 for a value representable
111
111
  // in float16 is non-canonical and trips requireDeterministic.
112
112
  function _encodeFloat(value) {
113
- if (Number.isNaN(value)) return Buffer.from([0xf9, 0x7e, 0x00]); // allow:raw-byte-literal — canonical half NaN (RFC 8949 §4.2.1)
114
- if (value === Infinity) return Buffer.from([0xf9, 0x7c, 0x00]); // allow:raw-byte-literal — half +Inf
115
- if (value === -Infinity) return Buffer.from([0xf9, 0xfc, 0x00]); // allow:raw-byte-literal — half -Inf
113
+ if (Number.isNaN(value)) return Buffer.from([0xf9, 0x7e, 0x00]); // canonical half NaN (RFC 8949 §4.2.1)
114
+ if (value === Infinity) return Buffer.from([0xf9, 0x7c, 0x00]); // half +Inf
115
+ if (value === -Infinity) return Buffer.from([0xf9, 0xfc, 0x00]); // half -Inf
116
116
  var half = _doubleToHalfBits(value);
117
117
  if (half >= 0) { var hb = Buffer.alloc(3); hb[0] = 0xf9; hb.writeUInt16BE(half, 1); return hb; }
118
118
  var f4 = Buffer.alloc(5); f4[0] = 0xfa; f4.writeFloatBE(value, 1);
@@ -167,10 +167,10 @@ function _head(major, argument) {
167
167
  }
168
168
 
169
169
  function _encodeValue(value, opts) {
170
- if (value === null) return Buffer.from([0xf6]); // allow:raw-byte-literal — CBOR null simple value
171
- if (value === undefined) return Buffer.from([0xf7]); // allow:raw-byte-literal — CBOR undefined simple value
172
- if (value === true) return Buffer.from([0xf5]); // allow:raw-byte-literal — CBOR true simple value
173
- if (value === false) return Buffer.from([0xf4]); // allow:raw-byte-literal — CBOR false simple value
170
+ if (value === null) return Buffer.from([0xf6]); // CBOR null simple value
171
+ if (value === undefined) return Buffer.from([0xf7]); // CBOR undefined simple value
172
+ if (value === true) return Buffer.from([0xf5]); // CBOR true simple value
173
+ if (value === false) return Buffer.from([0xf4]); // CBOR false simple value
174
174
 
175
175
  if (typeof value === "number") {
176
176
  // Exact integers within the safe range encode as CBOR integers;
package/lib/cdn-cache-control.js CHANGED
@@ -251,7 +251,7 @@ function build(opts) {
251
251
  // regex. RFC 7234 §5.2 token directives are tiny in practice
252
252
  // (max-age = 7 chars, stale-while-revalidate = 22); 64 is the
253
253
  // operator-headroom ceiling.
254
- var DIRECTIVE_MAX = 64; // allow:raw-byte-literal — directive key/value length cap
254
+ var DIRECTIVE_MAX = 64; // directive key/value length cap
255
255
  for (var e = 0; e < ekeys.length; e += 1) {
256
256
  var ek = ekeys[e];
257
257
  if (ek.length === 0 || ek.length > DIRECTIVE_MAX || !DIRECTIVE_KEY_RE.test(ek)) {
package/lib/cert.js CHANGED
@@ -69,8 +69,8 @@ var log = boot("cert");
69
69
  var DEFAULT_RENEW_INTERVAL_MS = C.TIME.hours(6);
70
70
  var DEFAULT_MIN_DAYS_BEFORE_EXPIRY = 14;
71
71
  var DEFAULT_OCSP_REFRESH_MS = C.TIME.hours(12);
72
- var MAX_DOMAINS_PER_CERT = 100; // allow:raw-byte-literal — operator-facing manifest size cap, not a byte count (RFC 6066 SNI permits more)
73
- var MAX_CERTS_PER_MANAGER = 1000; // allow:raw-byte-literal — operator-facing manifest size cap, not a byte count
72
+ var MAX_DOMAINS_PER_CERT = 100; // operator-facing manifest size cap, not a byte count (RFC 6066 SNI permits more)
73
+ var MAX_CERTS_PER_MANAGER = 1000; // operator-facing manifest size cap, not a byte count
74
74
 
75
75
  function _positiveFiniteOrDefault(value, defaultValue, label, code) {
76
76
  if (value === undefined || value === null) return defaultValue;
@@ -481,9 +481,9 @@ function create(opts) {
481
481
  // counts. The framework's leaf-key alg names embed the bit length
482
482
  // verbatim ("rsa-2048" / "rsa-3072" / "rsa-4096"), so the literals
483
483
  // here are protocol-constant references.
484
- var RSA_MODULUS_BITS_2048 = 2048; // allow:raw-byte-literal — RSA modulus length, not a byte count
485
- var RSA_MODULUS_BITS_3072 = 3072; // allow:raw-byte-literal — RSA modulus length, not a byte count
486
- var RSA_MODULUS_BITS_4096 = 4096; // allow:raw-byte-literal — RSA modulus length, not a byte count
484
+ var RSA_MODULUS_BITS_2048 = 2048; // RSA modulus length, not a byte count
485
+ var RSA_MODULUS_BITS_3072 = 3072; // RSA modulus length, not a byte count
486
+ var RSA_MODULUS_BITS_4096 = 4096; // RSA modulus length, not a byte count
487
487
 
488
488
  function _generateLeafKeypair(keyAlg) {
489
489
  switch (keyAlg) {
package/lib/cloud-events.js CHANGED
@@ -275,8 +275,8 @@ function parse(envelope) {
275
275
 
276
276
  // ---- validate / isValid (non-throwing spec check) ----
277
277
 
278
- var INT_MIN = -2147483648; // allow:raw-byte-literal — CloudEvents Integer type range
279
- var INT_MAX = 2147483647; // allow:raw-byte-literal — CloudEvents Integer type range
278
+ var INT_MIN = -2147483648; // CloudEvents Integer type range
279
+ var INT_MAX = 2147483647; // CloudEvents Integer type range
280
280
  // JSON-formatted media type essence (after the parameters are stripped):
281
281
  // type/json or type/anything+json. Each run is bounded by the single "/"
282
282
  // separator so the match is linear (no overlapping quantifiers → no
@@ -515,8 +515,8 @@ function _pctEncode(s) {
515
515
  var out = "";
516
516
  for (var i = 0; i < bytes.length; i += 1) {
517
517
  var by = bytes[i];
518
- if (by < 0x21 || by > 0x7E || by === 0x22 || by === 0x25) { // allow:raw-byte-literal — printable-ASCII bounds + double-quote and percent (HTTP binding header rule)
519
- out += "%" + bytes[i].toString(16).toUpperCase().padStart(2, "0"); // allow:raw-byte-literal — 16 is the hex radix
518
+ if (by < 0x21 || by > 0x7E || by === 0x22 || by === 0x25) { // printable-ASCII bounds + double-quote and percent (HTTP binding header rule)
519
+ out += "%" + bytes[i].toString(16).toUpperCase().padStart(2, "0"); // 16 is the hex radix
520
520
  } else {
521
521
  out += String.fromCharCode(by);
522
522
  }
@@ -528,7 +528,7 @@ function _pctDecode(s) {
528
528
  var i = 0;
529
529
  while (i < s.length) {
530
530
  if (s[i] === "%" && /^[0-9A-Fa-f]{2}$/.test(s.slice(i + 1, i + 3))) {
531
- bytes.push(parseInt(s.slice(i + 1, i + 3), 16)); // allow:raw-byte-literal — 16 is the hex radix
531
+ bytes.push(parseInt(s.slice(i + 1, i + 3), 16)); // 16 is the hex radix
532
532
  i += 3;
533
533
  } else {
534
534
  var ch = Buffer.from(s[i], "utf8");
package/lib/cms-codec.js CHANGED
@@ -107,14 +107,14 @@ var OID = Object.freeze({
107
107
  });
108
108
 
109
109
  // Refusal ceilings.
110
- var MAX_DEPTH = 32; // allow:raw-byte-literal — ASN.1 recursion ceiling
110
+ var MAX_DEPTH = 32; // ASN.1 recursion ceiling
111
111
  var DEFAULT_MAX_LEN = 64 * 1024 * 1024; // allow:raw-byte-literal — 64 MiB default decode cap
112
112
 
113
113
  // Universal-tag bytes used in encode helpers.
114
- var TAG_SEQUENCE = 0x30; // allow:raw-byte-literal — ASN.1 SEQUENCE constructed
115
- var TAG_SET = 0x31; // allow:raw-byte-literal — ASN.1 SET constructed
116
- var TAG_UTCTIME = 0x17; // allow:raw-byte-literal — UTCTime universal
117
- var TAG_GENTIME = 0x18; // allow:raw-byte-literal — GeneralizedTime universal
114
+ var TAG_SEQUENCE = 0x30; // ASN.1 SEQUENCE constructed
115
+ var TAG_SET = 0x31; // ASN.1 SET constructed
116
+ var TAG_UTCTIME = 0x17; // UTCTime universal
117
+ var TAG_GENTIME = 0x18; // GeneralizedTime universal
118
118
 
119
119
  /**
120
120
  * @primitive b.cms.encodeSignedData
@@ -197,7 +197,7 @@ function encodeSignedData(opts) {
197
197
 
198
198
  // SignedData SEQUENCE per §5.1.
199
199
  var signedDataSeq = asn1.writeNode(TAG_SEQUENCE, Buffer.concat([
200
- asn1.writeInteger(Buffer.from([1])), // allow:raw-byte-literal — CMSVersion 1 per §5.1
200
+ asn1.writeInteger(Buffer.from([1])), // CMSVersion 1 per §5.1
201
201
  digestAlgs,
202
202
  encapInfo,
203
203
  certsBlock,
@@ -258,7 +258,7 @@ function encodeEnvelopedData(opts) {
258
258
  "encodeEnvelopedData: opts.recipients must be a non-empty array");
259
259
  }
260
260
  // Fresh ChaCha20-Poly1305 content key.
261
- var contentKey = bCrypto.generateBytes(32); // allow:raw-byte-literal — 256-bit ChaCha20 key
261
+ var contentKey = bCrypto.generateBytes(32); // 256-bit ChaCha20 key
262
262
 
263
263
  // recipientInfos SET — one KEMRecipientInfo per recipient.
264
264
  var ris = opts.recipients.map(function (r) {
@@ -272,7 +272,7 @@ function encodeEnvelopedData(opts) {
272
272
  // EnvelopedData SEQUENCE per §6.1. CMSVersion 4 (RFC 9629 §3 — when
273
273
  // any RecipientInfo is OtherRecipientInfo, here KEMRecipientInfo).
274
274
  var envelopedSeq = asn1.writeNode(TAG_SEQUENCE, Buffer.concat([
275
- asn1.writeInteger(Buffer.from([4])), // allow:raw-byte-literal — CMSVersion 4 per RFC 9629 §3
275
+ asn1.writeInteger(Buffer.from([4])), // CMSVersion 4 per RFC 9629 §3
276
276
  recipientInfosSet,
277
277
  encContent,
278
278
  ]));
@@ -334,7 +334,7 @@ function decode(buf, opts) {
334
334
  }
335
335
  if (!(node.tag === asn1.TAG.SEQUENCE && node.constructed)) {
336
336
  throw new CmsCodecError("cms/bad-content-info",
337
- "decode: top-level must be SEQUENCE (got tag 0x" + node.tag.toString(16) + ")"); // allow:raw-byte-literal — hex radix for error-message formatting
337
+ "decode: top-level must be SEQUENCE (got tag 0x" + node.tag.toString(16) + ")"); // hex radix for error-message formatting
338
338
  }
339
339
  // ContentInfo SEQUENCE children: { contentType OID, [0] EXPLICIT ANY }.
340
340
  var children;
@@ -399,7 +399,7 @@ function _writeImplicitConstructed(tagNumber, payload) {
399
399
  // [N] IMPLICIT context-specific CONSTRUCTED — for wrapping SEQUENCE /
400
400
  // SET payloads (e.g. certificates [0], crls [1], OtherRecipientInfo
401
401
  // value).
402
- var tagByte = 0xa0 | (tagNumber & 0x1f); // allow:raw-byte-literal — context-specific constructed mask
402
+ var tagByte = 0xa0 | (tagNumber & 0x1f); // context-specific constructed mask
403
403
  return asn1.writeNode(tagByte, payload);
404
404
  }
405
405
 
@@ -410,7 +410,7 @@ function _writeImplicitPrimitive(tagNumber, value) {
410
410
  // reject the structure (Codex P1 finding on PR #102 — RecipientIdentifier
411
411
  // CHOICE's SubjectKeyIdentifier alternative is `[0] IMPLICIT OCTET STRING`,
412
412
  // a primitive type).
413
- var tagByte = 0x80 | (tagNumber & 0x1f); // allow:raw-byte-literal — context-specific primitive mask
413
+ var tagByte = 0x80 | (tagNumber & 0x1f); // context-specific primitive mask
414
414
  return asn1.writeNode(tagByte, value);
415
415
  }
416
416
 
@@ -459,7 +459,7 @@ function _signerInfo(signer, msgDigest, digestOid) {
459
459
  // SignerInfo, and use the original `31 LL VV...` form as the signature
460
460
  // input.
461
461
  var signatureInput = signedAttrs;
462
- var signedAttrsImplicit = Buffer.concat([Buffer.from([0xa0]), // allow:raw-byte-literal — IMPLICIT [0] tag per RFC 5652 §5.3
462
+ var signedAttrsImplicit = Buffer.concat([Buffer.from([0xa0]), // IMPLICIT [0] tag per RFC 5652 §5.3
463
463
  signedAttrs.slice(1)]);
464
464
 
465
465
  var signature;
@@ -474,7 +474,7 @@ function _signerInfo(signer, msgDigest, digestOid) {
474
474
 
475
475
  // SignerInfo SEQUENCE per §5.3 (issuerAndSerialNumber variant — CMSVersion 1).
476
476
  return asn1.writeNode(TAG_SEQUENCE, Buffer.concat([
477
- asn1.writeInteger(Buffer.from([1])), // allow:raw-byte-literal — CMSVersion 1 for issuerAndSerialNumber
477
+ asn1.writeInteger(Buffer.from([1])), // CMSVersion 1 for issuerAndSerialNumber
478
478
  _issuerAndSerialNumber(signer.certificate),
479
479
  _algorithmIdentifier(digestOid),
480
480
  signedAttrsImplicit,
@@ -576,9 +576,9 @@ function _reEncodeNode(node) {
576
576
  // TLV. writeNode rebuilds canonical DER from the original tag byte +
577
577
  // value bytes; the tag byte is reconstructed from tagClass + constructed +
578
578
  // tag number.
579
- var classBits = (node.tagClass & 0x03) << 6; // allow:raw-byte-literal — tag-class shift
580
- var consBit = node.constructed ? 0x20 : 0x00; // allow:raw-byte-literal — constructed bit
581
- var tagBits = node.tag & 0x1f; // allow:raw-byte-literal — short-form tag
579
+ var classBits = (node.tagClass & 0x03) << 6; // tag-class shift
580
+ var consBit = node.constructed ? 0x20 : 0x00; // constructed bit
581
+ var tagBits = node.tag & 0x1f; // short-form tag
582
582
  var tagByte = classBits | consBit | tagBits;
583
583
  return asn1.writeNode(tagByte, node.value);
584
584
  }
@@ -620,7 +620,7 @@ function _recipientInfo(recipient, contentKey) {
620
620
  // composition path.
621
621
  var infoLabel = Buffer.from("cms/kemri/chacha20-poly1305", "ascii");
622
622
  var kdfInput = Buffer.concat([Buffer.from(encap.sharedSecret), infoLabel]);
623
- var kek = bCrypto.kdf(kdfInput, 32); // allow:raw-byte-literal — 256-bit KEK
623
+ var kek = bCrypto.kdf(kdfInput, 32); // 256-bit KEK
624
624
  // Wrap the content key under the KEK using ChaCha20-Poly1305.
625
625
  var wrapped;
626
626
  try { wrapped = bCrypto.encryptPacked(contentKey, kek); }
@@ -631,7 +631,7 @@ function _recipientInfo(recipient, contentKey) {
631
631
  // KEMRecipientInfo SEQUENCE.
632
632
  // Simplified ordering, version 0 per RFC 9629 §3.
633
633
  var kemRi = asn1.writeNode(TAG_SEQUENCE, Buffer.concat([
634
- asn1.writeInteger(Buffer.from([0])), // allow:raw-byte-literal — KEMRecipientInfo version 0
634
+ asn1.writeInteger(Buffer.from([0])), // KEMRecipientInfo version 0
635
635
  // rid CHOICE per RFC 9629 §3: this module ships the [0] IMPLICIT
636
636
  // SubjectKeyIdentifier alternative — SKI is `[0] IMPLICIT OCTET
637
637
  // STRING` (PRIMITIVE per RFC 5652 §10.2.4). The constructed form
@@ -642,7 +642,7 @@ function _recipientInfo(recipient, contentKey) {
642
642
  _algorithmIdentifier(OID.mlkem1024), // kem
643
643
  asn1.writeOctetString(Buffer.from(encap.cipherText)), // kemct
644
644
  _algorithmIdentifier(OID.shake256), // kdf
645
- asn1.writeInteger(Buffer.from([32])), // allow:raw-byte-literal — kekLength = 32 bytes
645
+ asn1.writeInteger(Buffer.from([32])), // kekLength = 32 bytes
646
646
  _algorithmIdentifier(OID.chacha20Poly1305), // wrap (also used as content-encryption AlgId; same OID)
647
647
  asn1.writeOctetString(wrapped), // encryptedKey
648
648
  ]));
@@ -653,7 +653,7 @@ function _recipientInfo(recipient, contentKey) {
653
653
  asn1.writeOid(OID.kemri),
654
654
  kemRi,
655
655
  ]);
656
- return asn1.writeNode(0xa4, oriValue); // allow:raw-byte-literal — [4] IMPLICIT context-specific constructed (ori CHOICE)
656
+ return asn1.writeNode(0xa4, oriValue); // [4] IMPLICIT context-specific constructed (ori CHOICE)
657
657
  }
658
658
 
659
659
  function _encryptedContentInfo(plaintext, contentKey) {
@@ -797,7 +797,7 @@ function _readSignerInfo(siNode) {
797
797
  var signedAttrsRaw = null;
798
798
  if (c[idx] && c[idx].tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC && c[idx].tag === 0) {
799
799
  var implicitRaw = _reEncodeNode(c[idx]);
800
- signedAttrsRaw = Buffer.concat([Buffer.from([0x31]), implicitRaw.slice(1)]); // allow:raw-byte-literal — universal SET tag per RFC 5652 §5.4
800
+ signedAttrsRaw = Buffer.concat([Buffer.from([0x31]), implicitRaw.slice(1)]); // universal SET tag per RFC 5652 §5.4
801
801
  idx += 1;
802
802
  }
803
803
  var sigAlgOid = _readAlgIdOid(c[idx]); idx += 1;
package/lib/codepoint-class.js CHANGED
@@ -50,7 +50,7 @@
50
50
  * WJ U+2060 BOM U+FEFF
51
51
  */
52
52
 
53
- var HEX_RADIX = 16; // allow:raw-byte-literal — base-16 radix, not byte size
53
+ var HEX_RADIX = 16; // base-16 radix, not byte size
54
54
 
55
55
  function hex4(cp) {
56
56
  var s = cp.toString(HEX_RADIX).toUpperCase();
@@ -94,17 +94,17 @@ var BOM_CHAR = fromCp(0xFEFF);
94
94
  // is a single edit.
95
95
  var SCRIPT_RANGES = {
96
96
  latin: [[0x0041, 0x005A], [0x0061, 0x007A],
97
- [0x00C0, 0x024F], [0x1E00, 0x1EFF]], // allow:raw-byte-literal — Unicode script ranges
98
- cyrillic: [[0x0400, 0x04FF], [0x0500, 0x052F]], // allow:raw-byte-literal — Unicode Cyrillic + Cyrillic Supplement
99
- greek: [[0x0370, 0x03FF], [0x1F00, 0x1FFF]], // allow:raw-byte-literal — Unicode Greek + Greek Extended
100
- armenian: [[0x0530, 0x058F]], // allow:raw-byte-literal — Unicode Armenian
101
- cherokee: [[0x13A0, 0x13FF], [0xAB70, 0xABBF]], // allow:raw-byte-literal — Unicode Cherokee + Cherokee Supplement
102
- han: [[0x4E00, 0x9FFF]], // allow:raw-byte-literal — CJK Unified Ideographs
103
- hiragana: [[0x3040, 0x309F]], // allow:raw-byte-literal — Hiragana
104
- katakana: [[0x30A0, 0x30FF]], // allow:raw-byte-literal — Katakana
105
- hangul: [[0xAC00, 0xD7AF]], // allow:raw-byte-literal — Hangul Syllables
106
- arabic: [[0x0600, 0x06FF]], // allow:raw-byte-literal — Arabic
107
- hebrew: [[0x0590, 0x05FF]], // allow:raw-byte-literal — Hebrew
97
+ [0x00C0, 0x024F], [0x1E00, 0x1EFF]], // Unicode script ranges
98
+ cyrillic: [[0x0400, 0x04FF], [0x0500, 0x052F]], // Unicode Cyrillic + Cyrillic Supplement
99
+ greek: [[0x0370, 0x03FF], [0x1F00, 0x1FFF]], // Unicode Greek + Greek Extended
100
+ armenian: [[0x0530, 0x058F]], // Unicode Armenian
101
+ cherokee: [[0x13A0, 0x13FF], [0xAB70, 0xABBF]], // Unicode Cherokee + Cherokee Supplement
102
+ han: [[0x4E00, 0x9FFF]], // CJK Unified Ideographs
103
+ hiragana: [[0x3040, 0x309F]], // Hiragana
104
+ katakana: [[0x30A0, 0x30FF]], // Katakana
105
+ hangul: [[0xAC00, 0xD7AF]], // Hangul Syllables
106
+ arabic: [[0x0600, 0x06FF]], // Arabic
107
+ hebrew: [[0x0590, 0x05FF]], // Hebrew
108
108
  };
109
109
 
110
110
  // scriptFor(cp) — returns the script-name string for a codepoint, or